Starting August 1st, vendors who want to provide wireless products on the EU market must meet new cybersecurity compliance requirements. Rest assured, though, that atsec is ready and able to perform the necessary testing for these devices.
First, let’s quickly recap what vendors are going to be on the hook for come August:
The Radio Equipment Directive (RED) 2014/53/EU defines essential requirements for radio equipment sold in the EU and sets the baseline for vendors, but the introduction of cybersecurity requirements under Delegated Regulation (EU) 2022/30 contains new obligations for vendors.
Effective August 1st, 2025, wireless-connected products on the EU market must demonstrate compliance with the following cybersecurity-related RED essential requirements:
- Article 3(3)(d): Protection of networks from harm or misuse.
- Article 3(3)(e): Protection of personal data and privacy.
- Article 3(3)(f): Protection from fraud and unauthorized access.
These apply to a wide range of consumer and Internet of Things (IoT) devices, including mobile phones, laptops, smartwatches, routers, connected toys, and smart home devices.
To assist vendors, the European Commission now formally cites the EN 18031 series of standards as the harmonised standards under RED Articles 3(3)(d–f), meaning vendors who conform to EN 18031 benefit from the presumption of conformity with the RED cybersecurity requirements.
Given the RED cybersecurity provisions are no longer a future requirement and the path to compliance is clearly defined through EN 18031, atsec is ready to both guide you through the new RED cybersecurity framework and perform testing of your devices according to EN 18031 requirements.
If you’re ready to get started with testing, you can get in touch with us via email on our Contact page. For those of you who want to know a bit more, let’s dive into the assessment procedures briefly.
Conformity Assessment Procedure
To demonstrate conformity, vendors must carry out a conformity assessment to ensure they meet the essential requirements set in Article 3. They can perform one of three conformity assessment procedures:
- Module A: Internal Production Control (Self-Declaration)
- Module B: EU Type Examination + Module C: Conformity to type based on internal production control
- Module H: Conformity Based on Full Quality Assurance
Module A is the most common selection and preferred for vendors because it empowers them to manage their own compliance process. However, there can be specific restrictions concerning the cybersecurity requirements that state certain clauses or conditions within the standard do not confer presumption of conformity, meaning a Notifying Body might be required for those specific aspects. For instance, if a product allows a user to not set a password, even if a harmonized standard is applied (e.g. EN 18031) the presumption of conformity for certain cybersecurity requirements might not apply.
If a vendor does not apply harmonised standards in full, or if no harmonised standards exist for their specific product or the relevant essential requirements, then they typically must involve a Notifying Body in their conformity assessment.
